Office Vulnerabilities Chained to Deliver Backdoor

A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.

The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).

Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.

The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.

In addition to gathering a variety of system information, the malware also reads registry entries for potential administration escalation and proxy information.

Based on received commands, the backdoor can fingerprint the infected machine, drop a file and execute it, launch remote shell, terminate connection to the C&C, download and run batch script, download file, and upload file.

Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.

The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye notes.